In a recent Duolingo data breach, attackers scraped the personal information of 2.6 million users before offering it for sale on a hacking forum for $1,500.
Duolingo, known for its interactive and gamified approach, is a widely used online language learning platform that provides free language courses to users globally. The Duolingo data breach took place in January, but its effects are only now coming to light.
The exposed data included a mixture of publicly available login names and real names, as well as non-public information like email addresses and internal details related to the Duolingo service. This breach posed a significant risk, particularly due to the inclusion of email addresses, which could be exploited for targeted phishing attacks.
When questioned about the incident, Duolingo confirmed that the data had been scraped from publicly accessible user profiles and assured users that an investigation was underway to determine if additional security measures were needed. However, Duolingo did not directly address the issue of email addresses being part of the leaked data, which raised concerns among affected users.
The scraped data was made available on a new version of the Breached hacking forum for a mere 8 site credits, equivalent to $2.13. This data was obtained through an exposed application programming interface (API) that had been openly shared since at least March 2023. Researchers had documented how to use this API publicly, allowing anyone to input a username and retrieve JSON output containing a user’s public profile information. Importantly, it was also possible to input an email address into the API and confirm its association with a Duolingo account.
Even though the API’s abuse had been reported to Duolingo in January, it remained accessible to anyone on the web. This allowed the perpetrator to input millions of email addresses, likely obtained from previous data breaches, into the API, ultimately creating a dataset containing both public and non-public information.
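The lookup-by-email behaviour described above is an account-existence oracle, and one defensive response is to alert on clients that probe it in bulk. The following is an added Python example, not code from Duolingo, BleepingComputer or this article: it runs a sliding-window check over constructed access-log lines for a hypothetical `/users?email=` endpoint (the log format and endpoint are assumptions, not Duolingo's) and flags clients that look up many distinct addresses within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (hypothetical format, not Duolingo's). The assumed /users
# endpoint answers 200 when a profile matches and 404 otherwise: the existence oracle above.
SAMPLE_LOG = """\
10.0.0.5 [2023-01-14T10:00:01Z] GET /users?username=alice 200
10.0.0.5 [2023-01-14T10:00:09Z] GET /users?username=bob 200
203.0.113.7 [2023-01-14T10:00:00Z] GET /users?email=a1%40example.org 200
203.0.113.7 [2023-01-14T10:00:00Z] GET /users?email=a2%40example.org 404
203.0.113.7 [2023-01-14T10:00:01Z] GET /users?email=a3%40example.org 200
203.0.113.7 [2023-01-14T10:00:01Z] GET /users?email=a4%40example.org 404
203.0.113.7 [2023-01-14T10:00:02Z] GET /users?email=a5%40example.org 404
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] GET /users\?"
                     r"(?P<param>username|email)=(?P<value>\S+) (?P<status>\d{3})$")

def parse(log_text):
    """Yield (ip, timestamp, lookup parameter, value, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield m["ip"], ts, m["param"], m["value"], int(m["status"])

def find_enumerators(events, window=timedelta(seconds=60), threshold=5):
    """Flag clients that looked up >= `threshold` distinct email addresses inside any
    `window`; ordinary profile views are by username, one at a time."""
    by_ip = defaultdict(list)
    for ip, ts, param, value, status in events:
        if param == "email":
            by_ip[ip].append((ts, value, status))
    flagged = {}
    for ip, lookups in by_ip.items():
        lookups.sort()
        start = 0
        for end in range(len(lookups)):
            while lookups[end][0] - lookups[start][0] > window:
                start += 1
            distinct = len({v for _, v, _ in lookups[start:end + 1]})
            if distinct >= threshold:
                flagged[ip] = {
                    "distinct_emails": len({v for _, v, _ in lookups}),
                    # 200 responses are the addresses this client has now confirmed as accounts
                    "confirmed": sum(1 for _, _, s in lookups if s == 200),
                }
                break
    return flagged
```

Calling `find_enumerators(parse(SAMPLE_LOG))` flags only 203.0.113.7, with five distinct addresses probed and two confirmed; the `confirmed` count is why a hardened endpoint should also stop distinguishing known from unknown addresses, not just rate-limit.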
Additionally, a threat actor highlighted specific fields within the scraped data, indicating Duolingo users with higher permissions than regular users, making them more valuable targets for phishing attacks. Despite inquiries from BleepingComputer, Duolingo had not provided a response regarding the continued availability of the API at the time of publication.
For the full report on the Duolingo data breach, see BleepingComputer.
Duolingo Data Breach: What to Do Now
Duolingo users should be wary of any emails that appear to come from the language-learning service. Bad actors may try to extract information from you by emailing fake password confirmations, asking you to download files, or sending other, unrelated phishing lures. If you are a business owner, make sure your employees don't use business email addresses for personal services such as Duolingo.
Worried about your data security? Take our FREE cybersecurity assessment to find out your organization’s level of risk!